1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 // Copyright (C) 2003-2013 Sourcefire, Inc.
4 //
5 // This program is free software; you can redistribute it and/or modify it
6 // under the terms of the GNU General Public License Version 2 as published
7 // by the Free Software Foundation. You may not use, modify or distribute
8 // this program under any other version of the GNU General Public License.
9 //
10 // This program is distributed in the hope that it will be useful, but
11 // WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 // General Public License for more details.
14 //
15 // You should have received a copy of the GNU General Public License along
16 // with this program; if not, write to the Free Software Foundation, Inc.,
17 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 //--------------------------------------------------------------------------
19
20 #ifdef HAVE_CONFIG_H
21 #include "config.h"
22 #endif
23
24 #include "detection_filter.h"
25
26 #include "hash/xhash.h"
27 #include "log/messages.h"
28 #include "main/thread.h"
29 #include "utils/util.h"
30
31 #include "sfthd.h"
32
33 using namespace snort;
34
// Per-thread threshold tracking hash. Created lazily by detection_filter_init()
// (only when the config has filtering enabled), consulted by
// detection_filter_test() for every rule that carries a filter, and destroyed
// by detection_filter_term(). Each thread owns its own instance.
static THREAD_LOCAL XHash* detection_filter_hash = nullptr;
36
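// Allocate a DetectionFilterConfig with the built-in defaults: a 1 MiB memcap
// for the per-thread threshold hash and filtering enabled.
//
// Returns an owning pointer; the caller releases it with
// DetectionFilterConfigFree(). snort_calloc() is assumed to zero-fill the
// struct (so count starts at 0) — confirm against utils/util.h.
DetectionFilterConfig* DetectionFilterConfigNew()
{
    // snort_calloc() hands back void*; a named cast replaces the C-style one.
    DetectionFilterConfig* df =
        static_cast<DetectionFilterConfig*>(snort_calloc(sizeof(DetectionFilterConfig)));

    // Bytes passed to sfthd_local_new() by detection_filter_init().
    df->memcap = 1024 * 1024;
    df->enabled = 1;

    return df;
}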
47
// Release a config produced by DetectionFilterConfigNew().
// Passing nullptr is a no-op.
void DetectionFilterConfigFree(DetectionFilterConfig* config)
{
    if ( config )
        snort_free(config);
}
55
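// Evaluate the detection_filter attached to a rule against this packet.
//
// pv      -- opaque THD_NODE* produced by detection_filter_create(); nullptr
//            means the rule has no filter and 0 is returned without lookup.
// sip/dip -- packet source/destination addresses handed to sfthd_test_rule()
// curtime -- time value handed to sfthd_test_rule()
//
// Returns sfthd_test_rule()'s verdict, evaluated against this thread's
// threshold hash for the current IPS policy.
//
// NOTE(review): detection_filter_hash stays nullptr when detection_filter_init()
// was skipped because filtering is disabled; sfthd_test_rule() is assumed to
// tolerate a null hash in that case — confirm in sfthd.
int detection_filter_test(void* pv, const SfIp* sip, const SfIp* dip, long curtime)
{
    if ( !pv )
        return 0;

    // The rule option stores the node as void*; a named cast restores its type.
    THD_NODE* node = static_cast<THD_NODE*>(pv);

    return sfthd_test_rule(detection_filter_hash, node,
        sip, dip, curtime, get_ips_policy()->policy_id);
}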
64
// Build the THD_NODE for a rule's detection_filter option.
//
// Returns nullptr when there is no config or filtering is disabled. Otherwise
// df_config->count is incremented (even if creation later fails) and passed as
// the first argument to sfthd_create_rule_threshold(), presumably as the
// threshold id, together with thdx's tracking/type/count/seconds.
//
// NOTE(review): thdx is dereferenced without a null check; callers must pass
// a valid pointer.
THD_NODE* detection_filter_create(DetectionFilterConfig* df_config, THDX_STRUCT* thdx)
{
    if ( !df_config || !df_config->enabled )
        return nullptr;

    // Pre-increment yields the same value the original passed after count++.
    return sfthd_create_rule_threshold(++df_config->count, thdx->tracking,
        thdx->type, thdx->count, thdx->seconds);
}
78
// Per-thread setup: create this thread's threshold hash, sized by
// df_config->memcap, the first time it is needed. Does nothing when
// filtering is disabled or the hash already exists.
//
// NOTE(review): unlike the sibling functions, df_config is not null-checked
// here; callers must pass a valid config.
void detection_filter_init(DetectionFilterConfig* df_config)
{
    if ( df_config->enabled && !detection_filter_hash )
        detection_filter_hash = sfthd_local_new(df_config->memcap);
}
87
// Per-thread teardown: free this thread's threshold hash and reset the
// pointer so a repeated call (or a call when no hash was created) is harmless.
void detection_filter_term()
{
    // delete on a null pointer is a defined no-op, so no guard is required.
    delete detection_filter_hash;
    detection_filter_hash = nullptr;
}
96
97